Tiger Scheme QST/CTM Standard


Title: Tiger Scheme Qualified Security Tester Team Member Standard
Version: 1.2
Status: Public Release
Date: 21st June 2011
Author: Professor Andrew Blyth (Tiger Technical Panel)
Review Date: 1st July 2012

Version history:

Version   Date         Author                    Changes and Comments
1.0       01/02/2010   Professor Andrew Blyth    DRAFT
1.1       10/04/2010   Professor Andrew Blyth    FINAL VERSION
1.2       21/06/2011   Professor Andrew Blyth    FINAL VERSION

Table of Contents

1. Introduction
   1.1 Aims and Objectives
2. The Standard
   2.1 Understand Requirements
   2.2 Defining Scope
   2.3 Legal Issues
   2.4 Planning and Management
   2.5 Managing risk
   2.5 Testing Methodology
   2.6 Testing platform
3.0 Technical Expertise
   3.1 Technology and Vulnerabilities
   3.2 Assessing Network Design
   3.3 Assessing Application Design
   3.4 Security Testing Enumeration
   3.5 Security Testing Identification and Proof of Issues
   3.6 Security Testing Classifying Risk
   3.7 Remediation
4 Deliverables
   4.1 Management Presentation of Results
   4.2 Technical Presentation of Results

1. Introduction

1.1 Aims and Objectives

1.1.1 This document is intended to define the base-line technical standards for the TIGER Scheme Qualified Security Tester Member (QSTM) level. This level is technically equivalent to a CHECK Team Member.

1.1.2 The Qualified Security Tester Member is expected to possess, and be able to demonstrate, a wide range of skills and knowledge associated with security testing and assessment.

1.1.3 The assessment for a Qualified Security Tester Member takes the form of an assault course: the candidate is expected to discuss numerous aspects of security testing and then to demonstrate technical capability on specially designed and maintained assault course networks.

1.1.4 The objective of the assault course is to evaluate the candidate in an environment that mimics a typical real-world security-testing scenario as closely as possible.

1.1.5 The areas of expertise assessed at the TIGER Qualified Security Tester Member level fall into three overall aspects:

- Management, Ethics & Compliance: demonstration of knowledge and capability in areas such as legal knowledge, understanding customer requirements, the scoping of security assessments, the planning and management of engagements, risk management throughout engagements and the use of a suitable security testing platform.
- Technical Expertise: demonstration of knowledge and capability in areas including design and architecture security assessments, security testing of infrastructure and applications, the classification of technical risk and the ability to provide coherent remediation recommendations for identified security vulnerabilities and exposures.
- Deliverables: demonstration of capability in the preparation and presentation of security testing results to both non-technical and technical audiences. In both cases the results will be documented, providing a summary of the issue, the impact and risk, along with relevant recommendations.

1.1.6 These aspects have been chosen to ensure that the security testing requirements and concerns of industry are incorporated into the evaluation of each individual candidate.

1.1.7 The assessment for a Tiger Qualified Security Tester Member consists of four parts:

- A multiple choice assessment (30 minutes)
- A written examination (2 hours)
- A practical assessment via an assault course (3 hours)
- A viva (30 minutes)

1.1.8 The Qualified Security Tester Member assault course is an assessment of technical skill and is designed to evaluate the candidate as a whole and their capabilities across the security-testing spectrum.

1.1.9 The pass mark for each element of the QSTM/CTM assessment is 60%, and a successful candidate must pass all components of the assessment.

2. The Standard

2.1 Understand Requirements

Demonstrate the ability to understand customer requirements and set customer expectations for a given security-testing scenario.

A1 The candidate MUST liaise effectively with the assessor, who will provide a list of requirements and constraints for the security-testing scenario.

A2 Typical requirements that MAY be requested include:
- Internal security testing of a LAN;
- Application security testing of a web application server; and
- External penetration test of an organisation's Internet gateway.

A3 Typical constraints that MAY be placed on testing include:
- Exclusion of sensitive or critical systems;
- Exclusion of particular techniques such as account password guessing;
- No intrusive testing or exploitation of vulnerabilities; and
- The use of black and white listing of IP addresses.

2.2 Defining Scope

Demonstrate the ability to define a scope of testing given certain customer requirements, timeframes and any constraints.

B1 The candidate MUST demonstrate:
- An understanding of scope restrictions on test practice.
- A comprehensive understanding of the requirements for testing safety critical or other designated high-risk systems.
- A comprehensive understanding of the practical issues regarding permission to test, especially in production and hosted environments.
- An understanding of how to apply a consistent methodology during test execution.
- A comprehensive understanding of test errors, including false-positive and false-negative results, and confirmation methods.
- A comprehensive understanding of record keeping.

2.3 Legal Issues

Demonstrate an appropriate knowledge of law potentially relevant to security testing in a variety of situations in the country and region of certification.

C1 The candidate SHOULD demonstrate:
- An understanding of the general international legal environment with regard to penetration testing.
- An understanding of major international personal and corporate data protection regimes.
- An understanding of the legal regime regarding destructive testing that applies in the jurisdiction within which they are taking the examination.
- An understanding of the e-crime legal regime that applies in the jurisdiction within which they are taking the examination.
- A comprehensive understanding of the Tiger Scheme Code of Conduct.

2.4 Planning and Management

Demonstrate the ability to develop a project plan for a given security testing requirement and defined scope.

D1 The candidate MUST be able to demonstrate awareness of the:
- Requirement for suitable system access;
- Requirement for testing authority documents to have been signed by all relevant parties, including any third-party hosting company or service providers; and
- Requirement for physical access and escorts in a timely fashion.

2.5 Managing risk

Demonstrate the ability to follow risk reduction procedures and liaise with the customer and other relevant parties to reduce the likelihood or impact of any unwanted issues arising from security testing.

E1 to E5
- The candidate MUST demonstrate awareness of the risks associated with security testing that can impact customer systems.
- The candidate MAY demonstrate the ability to suggest strategies aimed at reducing risk throughout the test; these would be expected to include ensuring that both the testing team and the customer have an established point of contact for emergencies.

2.5 Testing Methodology

Demonstrate understanding of, and adherence to, a stated methodology for a given testing requirement and defined scope.

F1 The candidate MUST demonstrate:
- An understanding of scope restrictions on test practice.
- An understanding of the requirements for testing safety critical or other designated high-risk systems.
- An understanding of the practical issues regarding permission to test, especially in production and hosted environments.
- An understanding of how to apply a methodology during test execution.
- An understanding of test errors, including false-positive and false-negative results, and confirmation methods.
- An understanding of record keeping.

2.6 Testing platform

Demonstrate possession and use of a suitable, well-maintained and configured testing platform.

The candidate MUST be in possession of a laptop system that is suitable for performing a security test. The system may be configured with any choice of software and operating system(s); however, the following conditions must be met:

G1
- All commercial software MUST be suitably licensed.
- Anti-virus software SHOULD be installed and configured in such a way as not to disrupt the security testing tools.
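Sections 2.1 and 2.2 above describe constraints such as black and white listing of IP addresses and the exclusion of sensitive or critical systems. As an added illustration (not part of the Tiger Scheme standard), the following Python scope check validates hosts found during discovery against the agreed in-scope and excluded ranges before any test activity is directed at them; the ranges and hosts are constructed sample data using RFC 5737 documentation addresses and an RFC1918 range, not a real customer's scope.

```python
"""Scope check: which discovered hosts may actually be tested.

Added illustration, not part of the Tiger Scheme standard. All ranges and
hosts below are constructed sample data (RFC 5737 documentation addresses
and an RFC1918 range), not a real customer's scope.
"""
import ipaddress
from typing import Dict, List

# Agreed in-scope ranges (the "white list") from the customer requirements.
IN_SCOPE = ["203.0.113.0/24", "10.20.0.0/16"]
# Customer exclusions (the "black list"): e.g. a critical SCADA VLAN and one
# sensitive host. Exclusions always take precedence over in-scope ranges.
EXCLUDED = ["10.20.5.0/24", "203.0.113.250/32"]
# RFC1918 private ranges, used to flag addresses that can only have come from
# an internal segment or from behind NAT (relevant to the constraint review).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of hosts seen during discovery, including noise.
DISCOVERED = ["203.0.113.12", "10.20.5.77", "10.20.7.3", "192.168.1.9",
              "203.0.113.250", "0.0.0.0", "256.1.1.1", "198.51.100.4"]


def parse_ranges(ranges: List[str]):
    """Parse CIDR strings; strict=False tolerates host bits such as 10.1.2.3/24."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_rfc1918(host: str) -> bool:
    """True if host is a syntactically valid address inside an RFC1918 range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify_host(host: str, in_scope, excluded) -> str:
    """Return one of: invalid, excluded, in-scope, out-of-scope."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "invalid"                      # e.g. 256.1.1.1 or a hostname
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved:
        return "invalid"                      # never a legitimate target
    if any(addr in net for net in excluded):
        return "excluded"                     # black list wins over white list
    if any(addr in net for net in in_scope):
        return "in-scope"
    return "out-of-scope"                     # not authorised: do not test


def check_scope(hosts: List[str], in_scope=IN_SCOPE, excluded=EXCLUDED) -> Dict[str, List[str]]:
    """Group hosts by scope status, preserving discovery order."""
    nets, excl = parse_ranges(in_scope), parse_ranges(excluded)
    result: Dict[str, List[str]] = {"in-scope": [], "excluded": [],
                                    "out-of-scope": [], "invalid": []}
    for host in hosts:
        result[classify_host(host, nets, excl)].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in check_scope(DISCOVERED).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

Only the "in-scope" group may be tested; "out-of-scope" hosts are reported back to the customer for a scope decision rather than tested, and "invalid" entries are usually discovery noise worth recording.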

3.0 Technical Expertise

3.1 Technology and Vulnerabilities

Demonstrate awareness of existing and emerging security technologies likely to have relevance to security testing. Demonstrate knowledge of existing and emerging threats and vulnerabilities.

H1 The candidate MUST demonstrate:
- A comprehensive understanding of basic networking protocols.
- An understanding of common Internet encryption protocols (e.g. SSL/TLS, SSH), including encryption protocol negotiation and key exchange.
- An understanding of authentication protocols and techniques and their common weaknesses.
- An understanding of common computer hardware architectures.
- An understanding of operating systems in common commercial use.
- Possession and use of vulnerability information.

H2 The candidate SHOULD demonstrate:
- An understanding of Internet routing.
- An understanding of security issues related to multi-protocol operations.
- An understanding of security issues related to communications protocol interfaces (e.g. LAN / WAN transitions).
- An appreciation of the security strengths and weaknesses of common networking protocols.
- An understanding of the appropriate use of encryption and the varying requirements for data (or link), end-to-end and storage encryption.
- A practical understanding of encryption key lengths, negotiation and entropy.
- An understanding of the security strengths and weaknesses of common operating systems, both in principle and as commonly implemented.

H3 The candidate SHOULD demonstrate:
- An understanding of the concepts of randomness and entropy as applied to encryption methods and keys.
- A detailed understanding of asymmetric encryption as applied to common Internet protocols.
- A detailed understanding of hybrid encryption as applied to common Internet protocols.
- A detailed understanding of symmetric encryption as applied to common Internet protocols.

3.2 Assessing Network Design

Demonstrate the ability to assess network designs with regard to security and identify potential areas of risk. This will include aspects of network security such as network protocols, perimeter security, monitoring and general architecture.

I1 The candidate MUST demonstrate:
- A detailed understanding of Internet and network segment addressing, including CIDR, unassigned and invalid addresses, RFC1918, NAT / PAT and ASNs.
- A detailed understanding of the use of active network tools to enumerate or confirm a network or infrastructure diagram.
- An understanding of the use and limitations of multi-homed and bridging devices.
- An understanding of network perimeter devices and their effects on scanning.
- An understanding of the use and limitations of active network tools to determine the operating system(s) running on a target.

I2 The candidate SHOULD demonstrate:
- An understanding of the use of passive network tools to enumerate or confirm a network or infrastructure diagram.
- An understanding of port scanning and OS fingerprinting techniques, along with their strengths and weaknesses.

I3 The candidate MAY demonstrate:
- An understanding of the differences between IPv4 and IPv6 addressing.
- An understanding of the roles of the Regional Internet Registries.
- An understanding of the effects and limitations of address spoofing.

3.3 Assessing Application Design

Demonstrate the ability to assess an application design with regard to security and identify potential areas of risk.

J1 The candidate MUST be able to demonstrate the ability to assess application architecture on paper and identify potential weaknesses and security issues. The candidate would also be expected to suggest generic recommendations for addressing any issues.

3.4 Security Testing Enumeration

Demonstrate a high level of proficiency in enumeration techniques employed during security tests on both network infrastructure and applications.

K1 The candidate MUST demonstrate and discuss using open sources for gathering information related to the target systems.
K2 The candidate MUST demonstrate being able to use and explain active techniques for network topology identification.
K3 The candidate MUST demonstrate and explain active techniques for discovery of nodes on a network.
K4 The candidate MUST demonstrate and explain the use of service detection and identification tools to determine network services presented by a variety of systems, including version numbers and vendors where appropriate.
K5 The candidate MUST demonstrate and explain the enumeration of data from a variety of common network services on various platforms, including:
- File-systems shared remotely
- User account information
- Service or system configuration and management

3.5 Security Testing Identification and Proof of Issues

Demonstrate a high level of proficiency in the identification, subsequent analysis and proof of security issues on a range of networks, devices, operating systems and applications.

L1 The candidate MUST demonstrate the ability to identify the existence of various types of network infrastructure vulnerabilities, such as network protocol weaknesses and insecurities at all network layers.
L2 The candidate MUST demonstrate the ability to identify, explain and prove the existence of the following types of operating system vulnerabilities and exposures:
- Known software vulnerabilities
- Inadequate access control of services
- Authentication mechanisms
- Management mechanism insecurities
- Remote and local user access control insecurities
L3 The candidate MUST demonstrate the ability to perform a security build review of common operating systems.
L4 The candidate MUST be able to discuss current vulnerabilities in a variety of common operating systems.

3.6 Security Testing Classifying Risk

Demonstrate a reasonable level of proficiency in the suitable classification and analysis of the technical risk posed by various technical security vulnerabilities and exposures. This will include an understanding of impact and the identification of any mitigating factors or controls.

M1 The candidate MUST be able to describe and understand the following aspects of a given security vulnerability/issue and how they relate to classifying the issue with regard to the risk that is posed:
- The nature of the vulnerability
- How the vulnerability might be exploited
- The type of attacker capable of exploiting the vulnerability
- Any pre-requisites that an attacker would need to exploit the vulnerability
- The likelihood of a successful exploitation
- The presence of mitigating factors that prevent the exploitation or reduce the likelihood of a successful exploitation
- The technical impact to the target with regard to confidentiality, integrity and availability if the vulnerability is exploited

M2 The candidate SHOULD be able to classify a number of given security issues with regard to the risk posed and communicate this by attaching a quantity to the risk (e.g. High, Medium, Low or 5, 4, 3, 2, 1 etc.).

3.7 Remediation

Demonstrate knowledge of the strategies and technology that can be used to counter a security threat.

N1 The candidate MUST demonstrate some knowledge and understanding of remediation strategies and steps suitable for addressing a variety of identified security risks and vulnerabilities.
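An added worked example for section 3.6 (not part of the Tiger Scheme standard): a small scheme that takes the M1 factors (attacker type, pre-requisites, exploit availability, mitigating factors and the confidentiality, integrity and availability impact) and derives the M2 rating on both the 5 to 1 and High/Medium/Low scales. The weights, thresholds and sample findings are assumptions constructed for the example, not a scale prescribed by the standard.

```python
"""Worked example for 3.6: turning the M1 factors into an M2 risk rating.

Added illustration, not part of the Tiger Scheme standard. The weights,
thresholds and sample findings are assumptions constructed for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Impact(Enum):
    """Technical impact on one of confidentiality, integrity or availability."""
    NONE = 0
    LOW = 1
    MEDIUM = 3
    HIGH = 5


@dataclass
class Finding:
    name: str
    attacker: str          # who can exploit it: "anonymous", "authenticated" or "privileged"
    prerequisites: int     # conditions an attacker needs first (e.g. a VPN account)
    exploit: str           # "public", "proof_of_concept" or "theoretical"
    mitigations: int       # controls in place that reduce or prevent exploitation
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def likelihood(f: Finding) -> int:
    """Likelihood of successful exploitation, 1 (unlikely) to 5 (trivial)."""
    score = {"anonymous": 5, "authenticated": 3, "privileged": 1}[f.attacker]
    score -= min(f.prerequisites, 2)                # each pre-requisite lowers it
    score -= {"public": 0, "proof_of_concept": 1, "theoretical": 2}[f.exploit]
    score -= f.mitigations                          # mitigating factors lower it
    return max(1, min(5, score))


def impact(f: Finding) -> int:
    """Technical impact 0..5, taken from the worst-affected CIA property."""
    return max(f.confidentiality.value, f.integrity.value, f.availability.value)


def classify(f: Finding) -> Tuple[int, str]:
    """Return (rating 1..5, High/Medium/Low label) as M2 expects."""
    raw = likelihood(f) * impact(f)                 # 0..25
    if raw >= 20:
        rating = 5
    elif raw >= 12:
        rating = 4
    elif raw >= 8:
        rating = 3
    elif raw >= 4:
        rating = 2
    else:
        rating = 1
    return rating, {5: "High", 4: "High", 3: "Medium", 2: "Low", 1: "Low"}[rating]


# Constructed sample findings (not from any real engagement).
SAMPLE: List[Finding] = [
    Finding("Unauthenticated RCE in Internet-facing web server, public exploit",
            "anonymous", 0, "public", 0, Impact.HIGH, Impact.HIGH, Impact.HIGH),
    Finding("Same RCE, host reachable only from the admin VLAN behind an ACL",
            "anonymous", 1, "public", 1, Impact.HIGH, Impact.HIGH, Impact.HIGH),
    Finding("Local privilege escalation, proof-of-concept only",
            "authenticated", 0, "proof_of_concept", 0, Impact.HIGH, Impact.HIGH, Impact.MEDIUM),
    Finding("Software version disclosed in service banner",
            "anonymous", 0, "public", 0, Impact.LOW, Impact.NONE, Impact.NONE),
]


def classify_all(findings: List[Finding]) -> Dict[str, Tuple[int, str]]:
    """Ratings keyed by finding name, highest risk first."""
    rated = {f.name: classify(f) for f in findings}
    return dict(sorted(rated.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    for name, (rating, label) in classify_all(SAMPLE).items():
        print(f"{rating} {label:6} {name}")
```

The second sample finding shows the M1 point about mitigating factors: the same vulnerability rated lower, but still High, once a network control and an extra pre-requisite are taken into account.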

4 Deliverables

4.1 Management Presentation of Results

Demonstrate the ability to produce a written and verbal summary of security testing results for a non-technical audience.

O1 The candidate MUST be able to provide both a verbal and written summary of a security test to their line management.

4.2 Technical Presentation of Results

Demonstrate the ability to document and explain identified security issues, identifying the issue, impact, risk and suitable recommendations.

P1 The candidate MUST be able to provide detailed information on identified security issues to their line management.